01 Who we are
Bermuda Solution OÜ ("Bermuda", "we", "us", "our") is a private limited company incorporated in Estonia, with its registered office at Pärnu mnt 139e/2, 11317 Tallinn, Estonia. We are the controller of personal data described in this Privacy Policy unless stated otherwise.
This Privacy Policy explains what personal data we collect about visitors to our Website (https://bermuda-solutions.net) and our customers, why we collect it, how we use and share it, how long we keep it, and what rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Estonian Personal Data Protection Act.
If you have questions about this Privacy Policy or about how we handle your data, please contact us at contact@bermuda-solutions.net.
02 Categories of personal data we collect
We collect personal data in three main contexts: when you visit the Website, when you contact us, and when you become a customer.
2.1 Website visitors
- Technical data: IP address, browser type and version, operating system, referrer URL, pages visited, date and time of visit, language preference, theme preference.
- Cookies and similar technologies: see Section 8.
- Communications via the chat widget or contact form: any information you choose to enter (such as your name, email address, company, message content).
2.2 Prospective and existing customers
- Identification and contact data: full name, company name, position, email address, phone number, postal address.
- Account data: login credentials (in hashed form), API keys, SSH key fingerprints, language and theme preferences.
- Billing data: VAT number where applicable, billing address, transaction records, invoices, payment status. Payment-card data is processed by our payment service provider — we do not store full card numbers.
- Order and service data: services ordered, configurations, IP addresses allocated to you, server names and identifiers, support tickets and correspondence.
- Verification data: where required for risk, sanctions or fraud checks, copies of identity documents, business registration extracts and similar materials.
- Operational and security data: server access logs, network flow records, abuse reports, security-event records associated with your services.
2.3 Communications
When you email us, write to us via Telegram, open a support ticket or chat with us, we keep the content of the communication, the metadata (date, time, sender) and any attachments for the purposes set out in Section 4.
We do not knowingly collect personal data from children under the age of 16. If you believe we hold data about a child without parental consent, please contact us so we can delete it.
03 Where the data comes from
We collect personal data:
- directly from you, when you fill in a form, place an order, contact us, sign up to a newsletter, or otherwise interact with us;
- automatically, when you use the Website or the Services (server logs, traffic data);
- from third parties, where lawful — for example, from sanctions and anti-fraud databases, from payment service providers, or from public sources such as company registers — and only as necessary for the purposes described in this Privacy Policy.
04 Why we use your data and the legal basis under the GDPR
We use personal data only where we have a lawful basis under Article 6 GDPR. Our purposes and legal bases are:
| # | Purpose | Categories of data | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| 1 | To respond to enquiries sent through the contact form, chat, email or Telegram | Identification, contact, communications | Pre-contractual steps at your request (Art. 6(1)(b)); legitimate interest in operating our business (Art. 6(1)(f)) |
| 2 | To enter into and perform a contract with you (provide the Services, manage your account, technical support) | Identification, contact, account, order, operational | Performance of contract (Art. 6(1)(b)) |
| 3 | To take payment, issue invoices, manage debt, keep accounting records | Identification, contact, billing | Performance of contract (Art. 6(1)(b)); legal obligation under Estonian accounting and tax law (Art. 6(1)(c)) |
| 4 | To verify your identity and screen against sanctions, fraud and abuse | Identification, verification, billing | Legal obligation (Art. 6(1)(c)); legitimate interest in preventing fraud, abuse and sanctions violations (Art. 6(1)(f)) |
| 5 | To operate, secure, monitor and troubleshoot the Services and our infrastructure (including handling abuse reports) | Operational and security, technical | Performance of contract (Art. 6(1)(b)); legitimate interest in network and information security (Art. 6(1)(f); Recital 49 GDPR) |
| 6 | To improve the Website and our services | Technical, aggregated usage data | Legitimate interest (Art. 6(1)(f)); consent for non-essential cookies (Art. 6(1)(a)) |
| 7 | To send service-related notices (maintenance, security, billing, contractual changes) | Identification, contact, account | Performance of contract (Art. 6(1)(b)); legal obligation where applicable (Art. 6(1)(c)) |
| 8 | To send marketing communications about our own services to existing customers | Identification, contact | Legitimate interest, with an opt-out (soft opt-in under the ePrivacy Directive). For non-customers: consent (Art. 6(1)(a)) |
| 9 | To establish, exercise or defend legal claims, comply with court orders or lawful requests, and respond to abuse complaints | Any relevant data | Legal obligation (Art. 6(1)(c)); legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You can ask us for further information about that balancing test at any time.
We do not use your personal data for automated decision-making producing legal or similarly significant effects on you, and we do not perform profiling within the meaning of Article 22 GDPR.
05 Who we share your data with
We share personal data only with the categories of recipients listed below and only to the extent necessary:
- Group companies and personnel: our staff and contractors who need access to perform their duties, under appropriate confidentiality obligations.
- Hosting and infrastructure partners: data centre operators, network and connectivity providers, hardware suppliers and similar partners that help us deliver the Services.
- Payment service providers: to process card and bank payments and to comply with anti-money-laundering rules.
- Tools we use to run the business: customer-relationship management, ticketing, email delivery, analytics (where applicable), accounting, identity-verification and sanctions-screening providers.
- Professional advisers: accountants, auditors, lawyers and consultants under professional confidentiality.
- Public authorities and law enforcement: where we are legally required to disclose data, or where disclosure is necessary to protect the rights, property or safety of Bermuda, our customers or third parties — including the Estonian Data Protection Inspectorate, the Estonian police, CERT-EE, tax authorities, and competent EU bodies under the Digital Services Act and similar regulations.
- Acquirers: in the event of a merger, acquisition, restructuring or sale of all or part of our business — subject to confidentiality and to your rights under the GDPR.
We do not sell personal data and we do not share it with advertising networks.
06 International transfers
We aim to keep personal data within the European Economic Area ("EEA"). Where a service provider is located outside the EEA, we transfer personal data only:
- to a country that the European Commission has decided ensures an adequate level of data protection; or
- under appropriate safeguards as set out in Article 46 GDPR — typically the European Commission's Standard Contractual Clauses (2021), supplemented by additional technical and organisational measures where required following the Schrems II judgment.
You can ask us for a copy of the safeguards in place by writing to contact@bermuda-solutions.net.
07 How long we keep your data
We keep personal data only for as long as necessary for the purposes set out in this Privacy Policy, after which we delete it or anonymise it. Typical retention periods are:
- Enquiries from people who do not become customers: up to 12 months from the last contact.
- Account, contract and order records: for the duration of the customer relationship and for up to 7 years after termination, in line with Estonian Accounting Act requirements.
- Billing and tax documents (invoices): 7 years from the end of the financial year, in accordance with the Estonian Accounting Act.
- Server access and security logs: typically up to 12 months, longer where required for an active investigation, an abuse case or a legal claim.
- Customer-area session logs and authentication logs: typically up to 12 months.
- Identification and verification documents collected for AML / sanctions checks: as required by applicable law (typically 5 years after the end of the relationship).
- Marketing-related data: until you object or withdraw your consent.
- Backups: deleted in accordance with our backup-rotation schedule (typically up to 90 days).
Where the law requires a longer retention period, we will keep the data for that longer period.
08 Cookies and similar technologies
The Website uses cookies and similar technologies. You can manage your preferences through the cookie banner and the "Cookie Settings" link in the footer at any time.
We use the following categories:
- Strictly necessary cookies are required for the Website to function (for example, to remember your language choice or theme preference, or to keep you signed in to the customer area). They do not require your consent and cannot be switched off in our systems.
- Functional cookies remember choices you have made (such as preferred language) to give you a more personal experience. We use them on the basis of your consent.
- Analytics cookies help us understand how visitors use the Website so we can improve it. They are aggregated and, where possible, IP-anonymised. We use them on the basis of your consent.
- Marketing cookies would be used to deliver advertising that is relevant to you on third-party sites. We do not currently use marketing cookies. If we do in future, we will obtain your prior consent.
Most browsers allow you to control cookies through their settings. Disabling cookies may affect Website functionality.
09 Your rights under the GDPR
Subject to the conditions set out in the GDPR, you have the following rights:
- Right of access (Art. 15): to obtain confirmation as to whether we process personal data about you, and to receive a copy of that data.
- Right to rectification (Art. 16): to have inaccurate personal data corrected and incomplete personal data completed.
- Right to erasure (Art. 17), also known as the "right to be forgotten": to have personal data erased in certain circumstances.
- Right to restriction of processing (Art. 18): to ask us to restrict processing in certain circumstances.
- Right to data portability (Art. 20): to receive personal data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- Right to object (Art. 21): to object, on grounds relating to your particular situation, to processing based on legitimate interests; and to object at any time to processing for direct-marketing purposes.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with a supervisory authority (Art. 77): in particular with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://www.aki.ee), or with the supervisory authority of the EU/EEA country where you live or work.
To exercise any of these rights, please contact us at contact@bermuda-solutions.net. We may need to verify your identity before responding. We will respond within one month of receiving your request, which we may extend by a further two months for complex or numerous requests, in which case we will inform you within the original month.
10 Security
We implement technical and organisational measures appropriate to the risk in order to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:
- physical security at our facilities and at our data-centre partners;
- network segmentation, firewalls, intrusion detection and DDoS mitigation;
- encryption of data in transit (TLS) and, for sensitive data, at rest;
- access controls based on the principle of least privilege, with multi-factor authentication for administrative access;
- secure development and change-management practices;
- regular backups and tested recovery procedures;
- security awareness training for personnel;
- written contracts with all processors as required by Article 28 GDPR.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay, in accordance with Article 34 GDPR.
11 Customer data hosted on the Services
When you use our Services to host workloads, you may process personal data of your own users on our infrastructure. In that context, you are the controller of that data and we are your processor within the meaning of Article 28 GDPR. We process such data only on your documented instructions, do not use it for our own purposes, and will sign a data-processing addendum (DPA) with you on request.
You are responsible for:
- having a lawful basis to process the personal data of your users;
- providing them with the information required by Articles 13 and 14 GDPR;
- responding to requests from your users to exercise their rights under the GDPR;
- securing your applications, configurations and credentials.
12 Changes to this Privacy Policy
We may update this Privacy Policy from time to time, in particular to reflect changes in law, in our services or in our processing activities. The most recent version is always available on the Website, with the "Last updated" date at the top. Where the changes are material, we will give you reasonable advance notice (typically by email to the account contact).
13 Contact
If you have any questions, comments or complaints about this Privacy Policy or about how we handle personal data, please contact us:
Bermuda Solution OÜ
Pärnu mnt 139e/2, 11317 Tallinn, Estonia
Email: contact@bermuda-solutions.net
Telegram: @bermudasolution
You can also contact the Estonian Data Protection Inspectorate at:
Tatari 39, 10134 Tallinn, Estonia
https://www.aki.ee